OWASP Developer Guide

Implement Security Logging and Monitoring Checklist

4.2.9 Checklist: Implement Security Logging and Monitoring

Logging is recording security information during the runtime operation of an application. Monitoring is the live review of application and security logs using various forms of automation.

Refer to proactive control C9: Implement Security Logging and Monitoring for more context from the OWASP Top 10 Proactive Controls project, and use the list below as suggestions for a checklist that has been tailored for the individual project.

Security logging

  • Log submitted data that is outside of an expected numeric range.
  • Log submitted data that involves changes to data that should not be modifiable
  • Log requests that violate server-side access control rules
  • Encode and validate any dangerous characters before logging to prevent log injection attacks
  • Do not log sensitive information
  • Logging controls should support both success and failure of specified security events
  • Do not store sensitive information in logs, including unnecessary system details, session identifiers or passwords
  • Use a cryptographic hash function to validate log entry integrity

Security logging design

  • Protect log integrity
  • Ensure log entries that include untrusted data will not execute as code in the intended log viewing interface or software
  • Restrict access to logs to only authorized individuals
  • Utilize a central routine for all logging operations
  • Forward logs from distributed systems to a central, secure logging service
  • Follow a common logging format and approach within the system and across systems of an organization
  • Synchronize across nodes to ensure that timestamps are consistent
  • All logging controls should be implemented on a trusted system
  • Ensure that a mechanism exists to conduct log analysis


The OWASP Developer Guide is a community effort; if there is something that needs changing then submit an issue or edit on GitHub.